cbcvebase.
CVE-2026-49740
published 2026-06-09

CVE-2026-49740: TYPO3's cache frontend (VariableFrontend) and persistent key-value store (Registry) deserialized PHP payloads without integrity validation or class…

PriorityP336medium6.3CVSS 4.0
AVLACLATNPRLUINVCNVILVANSCHSIHSAHEXCRXIRXARXMAVXMACXMATXMPRXMUIXMVCXMVIXMVAXMSCXMSIXMSAXSXAUXRXVXREXUX
EPSS
0.21%
11.9th percentile
TYPO3's cache frontend (VariableFrontend) and persistent key-value store (Registry) deserialized PHP payloads without integrity validation or class restrictions. An attacker with write access to the underlying storage backend (cache store or sys_registry database table) could inject a crafted serialized payload to trigger PHP Object Injection, potentially exploiting a gadget chain to achieve Remote Code Execution or other high-impact effects. Exploiting this vulnerability requires direct local write access to the storage, such as the SQL database or file system. This issue affects TYPO3 CMS versions before 10.4.57, 11.0.0-11.5.51, 12.0.0-12.4.46, 13.0.0-13.4.31 and 14.0.0-14.3.3.

Affected

10 ranges
VendorProductVersion rangeFixed in
typo3cms-core>= 0 < 10.4.5710.4.57
typo3cms-core>= 11.0.0 < 11.5.5111.5.51
typo3cms-core>= 12.0.0 < 12.4.4612.4.46
typo3cms-core>= 13.0.0 < 13.4.3113.4.31
typo3cms-core>= 14.0.0 < 14.3.314.3.3
typo3typo3_cms< 10.4.5710.4.57
typo3typo3_cms>= 11.0.0 < 11.5.5111.5.51
typo3typo3_cms>= 12.0.0 < 12.4.4612.4.46
typo3typo3_cms>= 13.0.0 < 13.4.3113.4.31
typo3typo3_cms>= 14.0.0 < 14.3.314.3.3
Stop checking back — get the weekly exploitation signal.

Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.